blockcheck: tpws checks, more nfqws checks

This commit is contained in:
bol-van 2021-12-09 20:05:15 +03:00
parent 25221177c9
commit 719a5355b8

View File

@ -5,7 +5,10 @@ EXEDIR="$(cd "$EXEDIR"; pwd)"
ZAPRET_BASE="$EXEDIR" ZAPRET_BASE="$EXEDIR"
[ -n "$QNUM" ] || QNUM=59780 [ -n "$QNUM" ] || QNUM=59780
[ -n "$TPPORT" ] || TPPORT=993
[ -n "$TPWS_UID" ] || TPWS_UID=1
[ -n "$NFQWS" ] || NFQWS="$ZAPRET_BASE/nfq/nfqws" [ -n "$NFQWS" ] || NFQWS="$ZAPRET_BASE/nfq/nfqws"
[ -n "$TPWS" ] || TPWS="$ZAPRET_BASE/tpws/tpws"
[ -n "$MDIG" ] || MDIG="$ZAPRET_BASE/mdig/mdig" [ -n "$MDIG" ] || MDIG="$ZAPRET_BASE/mdig/mdig"
[ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000 [ -n "$DESYNC_MARK" ] || DESYNC_MARK=0x40000000
DOMAIN=rutracker.org DOMAIN=rutracker.org
@ -115,8 +118,8 @@ check_prerequisites()
{ {
echo \* checking prerequisites echo \* checking prerequisites
[ -x "$NFQWS" ] && [ -x "$MDIG" ] || { [ -x "$NFQWS" ] && [ -x "$TPWS" ] && [ -x "$MDIG" ] || {
echo $NFQWS or $MDIG is not available. run $ZAPRET_BASE/install_bin.sh echo $NFQWS or $MDIG or $TPWS is not available. run $ZAPRET_BASE/install_bin.sh
exitp 6 exitp 6
} }
@ -183,10 +186,24 @@ nfqws_ipt_unprepare()
# $1 - port # $1 - port
IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM IPT_DEL POSTROUTING -t mangle -p tcp --dport $1 -m mark ! --mark $DESYNC_MARK/$DESYNC_MARK -j NFQUEUE --queue-num $QNUM
} }
tpws_ipt_prepare()
{
# $1 - port
IPT OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT
}
tpws_ipt_unprepare()
{
# $1 - port
IPT_DEL OUTPUT -t nat -p tcp --dport $1 -m owner ! --uid-owner $TPWS_UID -j DNAT --to $LOCALHOST_IPT:$TPPORT
}
nfqws_start() nfqws_start()
{ {
"$NFQWS" --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null & "$NFQWS" --dpi-desync-fwmark=$DESYNC_MARK --qnum=$QNUM "$@" >/dev/null &
} }
tpws_start()
{
"$TPWS" --uid $TPWS_UID:$TPWS_UID --bind-addr=$LOCALHOST --port=$TPPORT "$@" >/dev/null &
}
curl_test() curl_test()
{ {
@ -204,32 +221,51 @@ curl_test()
fi fi
return $code return $code
} }
nfqws_curl_test() ws_curl_test()
{ {
# $1 - test function # $1 - ws start function
# $2 - domain # $2 - test function
# $3,$4,$5, ... - nfqws params # $3 - domain
local code pid testf=$1 dom=$2 # $4,$5,$6, ... - ws params
local code pid ws_start=$1 testf=$2 dom=$3
shift shift
shift shift
echo - checking nfqws "$@" shift
nfqws_start "$@" $ws_start "$@"
pid=$! pid=$!
# let some time for tpws to initialize
sleep 1
curl_test $testf $dom curl_test $testf $dom
code=$? code=$?
killwait -9 $pid killwait -9 $pid
return $code return $code
} }
check_domain_bypass() tpws_curl_test()
{
# $1 - test function
# $2 - domain
# $3,$4,$5, ... - tpws params
echo - checking tpws $3 $4 $5 $6 $7 $8 $9
ws_curl_test tpws_start "$@"
}
nfqws_curl_test()
{
# $1 - test function
# $2 - domain
# $3,$4,$5, ... - nfqws params
echo - checking nfqws $3 $4 $5 $6 $7 $8 $9
ws_curl_test nfqws_start "$@"
}
nfqws_check_domain_bypass()
{ {
# $1 - test function # $1 - test function
# $2 - encrypted test : 1/0 # $2 - encrypted test : 1/0
# $3 - domain # $3 - domain
local pid strategy tests='fake' ttls s sec="$2" found local strategy tests='fake' ttls s sec="$2" found
[ "$sec" = 0 ] && { [ "$sec" = 0 ] && {
for s in '--hostcase' '--hostnospace' '--domcase'; do for s in '--hostcase' '--hostspell=hoSt' '--hostnospace' '--domcase'; do
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}" nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
done done
} }
@ -238,18 +274,30 @@ check_domain_bypass()
if nfqws_curl_test $1 $3 $s; then if nfqws_curl_test $1 $3 $s; then
strategy="${strategy:-$s}" strategy="${strategy:-$s}"
else else
tests="$tests split fake,split" tests="$tests split fake,split2 fake,split"
[ "$sec" = 0 ] && { [ "$sec" = 0 ] && {
s="$s --hostcase" s="$s --hostcase"
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}" nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
} }
for pos in 1 2 4 5 10 50 100; do
s="--dpi-desync=split2 --dpi-desync-split-pos=$pos"
if nfqws_curl_test $1 $3 $s; then
strategy="${strategy:-$s}"
break
else
[ "$sec" = 0 ] && {
s="$s --hostcase"
nfqws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
}
fi
done
fi fi
s="--dpi-desync=disorder2" s="--dpi-desync=disorder2"
if nfqws_curl_test $1 $3 $s; then if nfqws_curl_test $1 $3 $s; then
strategy="${strategy:-$s}" strategy="${strategy:-$s}"
else else
tests="$tests disorder fake,disorder" tests="$tests disorder fake,disorder2 fake,disorder"
fi fi
ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL) ttls=$(seq -s ' ' $MIN_TTL $MAX_TTL)
@ -299,6 +347,36 @@ check_domain_bypass()
return 1 return 1
fi fi
} }
tpws_check_domain_bypass()
{
# $1 - test function
# $2 - encrypted test : 1/0
# $3 - domain
local s strategy sec="$2"
if [ "$sec" = 0 ]; then
for s in '--hostcase' '--hostspell=hoSt' '--split-http-req=method' '--split-http-req=method --hostcase' '--split-http-req=host' '--split-http-req=host --hostcase' \
'--hostdot' '--hosttab' '--hostnospace' '--methodspace' '--methodeol' '--unixeol' \
'--hostpad=1024' '--hostpad=2048' '--hostpad=4096' '--hostpad=8192' '--hostpad=16384'; do
tpws_curl_test $1 $3 $s && strategy="${strategy:-$s}"
done
else
for pos in 1 2 3 4 5 10 50 100; do
s="--split-pos=$pos"
tpws_curl_test $1 $3 $s && {
strategy="${strategy:-$s}"
break
}
done
fi
echo
if [ -n "$strategy" ]; then
echo "!!!!! working strategy found : tpws $strategy !!!!!"
return 0
else
echo 'working strategy not found'
return 1
fi
}
check_domain() check_domain()
{ {
@ -314,7 +392,7 @@ check_domain()
# in case was interrupted before # in case was interrupted before
nfqws_ipt_unprepare $2 nfqws_ipt_unprepare $2
killall nfqws 2>/dev/null killall nfqws tpws 2>/dev/null
echo "- checking without DPI bypass" echo "- checking without DPI bypass"
curl_test $1 $4 && return curl_test $1 $4 && return
@ -323,10 +401,20 @@ check_domain()
[ $code = $c ] && return [ $code = $c ] && return
done done
echo preparing tpws redirection
tpws_ipt_prepare $2
tpws_check_domain_bypass $1 $3 $4
echo clearing tpws redirection
tpws_ipt_unprepare $2
echo
echo preparing nfqws redirection echo preparing nfqws redirection
nfqws_ipt_prepare $2 nfqws_ipt_prepare $2
check_domain_bypass $1 $3 $4 nfqws_check_domain_bypass $1 $3 $4
echo clearing nfqws redirection echo clearing nfqws redirection
nfqws_ipt_unprepare $2 nfqws_ipt_unprepare $2
@ -346,7 +434,7 @@ ask_params()
{ {
echo echo
echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN echo NOTE ! this test should be run with zapret or any other bypass software disabled, without VPN
echo NOTE ! this test will kill all nfqws processes. if you have already set up zapret you will need to restart it after test is complete. echo NOTE ! this test will kill all nfqws and tpws processes. if you have already set up zapret you will need to restart it after test is complete.
$ECHON "test this domain (default: $DOMAIN) : " $ECHON "test this domain (default: $DOMAIN) : "
local dom local dom
@ -361,7 +449,9 @@ ask_params()
exitp 1 exitp 1
} }
IPTABLES=iptables IPTABLES=iptables
[ "$IPV" = 6 ] && IPTABLES=ip6tables LOCALHOST=127.0.0.1
LOCALHOST_IPT=127.0.0.1
[ "$IPV" = 6 ] && { IPTABLES=ip6tables; LOCALHOST=::1; LOCALHOST_IPT=[::1]; }
ENABLE_HTTP=1 ENABLE_HTTP=1
ask_yes_no_var ENABLE_HTTP "check http" ask_yes_no_var ENABLE_HTTP "check http"
@ -484,9 +574,11 @@ sigint()
# make sure we are not in a middle state that impacts connectivity # make sure we are not in a middle state that impacts connectivity
echo echo
echo terminating... echo terminating...
tpws_ipt_unprepare 80
tpws_ipt_unprepare 443
nfqws_ipt_unprepare 80 nfqws_ipt_unprepare 80
nfqws_ipt_unprepare 443 nfqws_ipt_unprepare 443
killall nfqws 2>/dev/null killall nfqws tpws 2>/dev/null
exitp 1 exitp 1
} }